Cisco fixed a cross-site scripting (XSS) vulnerability affecting the Web management interface of Cisco AsyncOS, the operating system used for some security appliances.
The flaw, CVE-2014-3289, reported by William Costa on February 17, affects Cisco Email Security Appliance (ESA) 8.0 and earlier, Cisco Web Security Appliance (WSA) 8.0 and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier.
Cisco did not offer any details about the vulnerability. However, an advisory published on Tuesday by the CERT at Carnegie Mellon University said the issue affects the “reports overview” page of the AsyncOS management interface. According to the advisory, an attacker could execute arbitrary script in the context of the victim’s Web browser session through the “date_range” parameter by convincing the victim to open a crafted link.
Cisco said users should update their AsyncOS installations as soon as possible. As a workaround for organizations that are unable to update the software, CERT recommends restricting connections from untrusted hosts and networks in order to prevent an attacker from accessing the Web interface using stolen credentials.
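Until the update is applied, defenders can at least watch for probing of the reflected parameter the advisory names. The following is an added example, not Cisco's or CERT's code: it scans constructed Apache-style access-log lines for requests to the reports overview page whose `date_range` value falls outside a strict allowlist. The report page path and the log format are assumptions to adapt to real appliance logs.

```python
"""Flag access-log entries where the AsyncOS ``date_range`` parameter carries
characters a legitimate date-range value should never contain."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical path of the "reports overview" page: the advisory names the
# page but not its URL, so this placeholder must be adapted to real logs.
REPORT_PATH = "/monitor/reports/overview"

# A legitimate date_range value is a short token ("last_week") or two dates
# joined by a separator; markup characters such as < > " ' are never needed.
SAFE_DATE_RANGE = re.compile(r"^[A-Za-z0-9_:\-/ ]{1,40}$")

# Common-log-format line: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real appliance).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2014:10:01:22 +0000] "GET /monitor/reports/overview?date_range=last_week HTTP/1.1" 200 5120',
    '198.51.100.23 - - [17/Feb/2014:10:02:05 +0000] "GET /monitor/reports/overview?date_range=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5310',
    '203.0.113.9 - - [17/Feb/2014:10:03:41 +0000] "GET /monitor/other?date_range=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.44 - - [17/Feb/2014:10:04:10 +0000] "GET /monitor/reports/overview?date_range=%253Cb%253Eprobe%253C%252Fb%253E HTTP/1.1" 200 5300',
]


def suspicious_date_range(log_line):
    """Return the decoded date_range value when the request targets the report
    page and the value fails the allowlist; otherwise return None."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != REPORT_PATH:
        return None
    # parse_qs decodes one layer of percent-encoding; decode once more so a
    # double-encoded value cannot slip past the allowlist.
    for value in parse_qs(url.query, keep_blank_values=True).get("date_range", []):
        decoded = unquote(value)
        if not SAFE_DATE_RANGE.match(decoded):
            return decoded
    return None


def scan(lines):
    """Return (client, decoded_value) for every suspicious request."""
    hits = []
    for line in lines:
        value = suspicious_date_range(line)
        if value is not None:
            hits.append((LOG_RE.match(line).group("client"), value))
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"suspicious date_range from {client}: {value!r}")
```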
In March, Cisco patched a separate vulnerability that could have allowed an attacker to execute arbitrary code with root privileges.
Users should take XSS vulnerabilities seriously, as they can have serious consequences for an organization. In one case, Twitter had to shut down its TweetDeck application after an attacker exploited an XSS flaw to create a network worm.